Guccifer 2.0 - DCLeaks - APT 28

By Adam Carter --- April 17th, 2017

The DCLeaks - APT 28 Attribution

DCLeaks was a site established last year, at the beginning of June (with the domain initially registered on April 19th). It began by publishing leaks covering emails from members of the US government and military.

APT28 (also known as Fancy Bear, Pawn Storm, Sofacy, Sednit and STRONTIUM) is a name given to an "Advanced Persistent Threat" group discovered in October of 2014 and thought to have been operational for anything up to a decade prior to this. The "APT28" designation is effectively a collective term for the group and all of the Internet infrastructure they make use of. APT28 is considered by various cyber-security firms to be linked to the Russian military intelligence agency GRU.

In the first quarter of 2016, a breach at the DNC was reported by CrowdStrike (a cyber-security firm hired by the DNC). In that report, CrowdStrike essentially blamed APT28 for the hack.

Other examples cited included DCLeaks using a free webmail service to initially register their domain (via the "@europe.com" domain, operated by 1&1). It is noted that "@europe.com" was the same free webmail provider used by whoever registered a dodgy 'misdepartment' domain (which was attributed to a phishing attack considered to originate from APT28).

So it seemed there was at least some overlap on service providers and name servers historically (if the assumptions/suspicions of various domains being part of APT28 are correct).

Certainly the overlaps are noteworthy, and they do seem to hint that there could easily be an association between them, but even if domains suspected of being a part of APT28 have used the same service providers or name servers that DCLeaks started using at a later date, it's not proof of a direct link between them and relies to a degree on guilt-by-association.

However, whether you are or aren't convinced by the DCLeaks-APT28 attributions, there is another association in the chain that needs scrutiny.

The DCLeaks 'Leadership' - Guccifer 2.0 Attribution

On 27 June, 12 days after its initial appearance, Guccifer 2.0 shared a password with the press that gave access to an area on DCLeaks listing leaks (mundane emails from Sarah Hamilton, apparently from a phishing attack she fell victim to).

As The Smoking Gun (TSG) concedes in their reporting, it's clear the password given to them by Guccifer 2.0 gave limited access to the site. However, when TSG later inquired about leaks in a different (and 'protected') section of the site, DCLeaks, independently, seemed quite happy to release a password to TSG on the condition they'd write a story about the leaks.

Examples of links to the leadership given by ThreatConnect follow:

Guccifer 2.0 has not publicly mentioned or promoted DCLeaks. Only in private communications with TSG does Guccifer 2.0 reveal prior knowledge of DCLeaks.

If you're communicating apparent controversy with a well-known publisher AND know that you're going to be revealed as a "Russian hacker" due to fabricated evidence you've planted, there is no reason to expect it to remain a "private communication" for long. Instead, it becomes an attribution that would be expected to become public knowledge sooner or later.

Guccifer 2.0 is the first known entity to have prior knowledge of and privileged access to exclusive content (Sarah Hamilton Emails) on the DCLeaks webpage before it was publicly available.

If Guccifer 2.0 was also the uploader of the content, that would make perfect sense. And if Guccifer 2.0 is a covert effort to poison the well of whistle-blowers and leak sites (an extension of its apparent purpose to discredit Wikileaks, as its actions on June 15th reveal it to be), it would explain how the emails could have been sourced (internally) for the sake of forging a perceived attribution with DCLeaks.

Guccifer 2.0 claimed that DCLeaks is a Wikileaks subproject where there is no public evidence of any formal or informal relationships between DCLeaks and Wikileaks.

This of course adds credence to what I suggest above: that this was an extension of the effort to discredit Wikileaks and create false attribution in an effort to discredit leakers and whistle-blowers, tainting everything with an association to its faux-"Russian hacker" persona.

So... we've got a password for a section of the site that Guccifer 2.0 could have been provided with, covering content he could himself have been the source of.

While this certainly shows he communicated with DCLeaks before his email on 27th of June and had a password to access a portion of the site - what was there that specifically could link him to the administration or leadership of the DCLeaks site to a greater degree than a leak contributor?

To really see how tenuous the link between Guccifer 2.0 and DCLeaks is, we have to take a detour through a separate hacking incident in Florida, and this is where things start to get strange...

BadWolf/Badvolf, DCLeaks & Guccifer 2.0

If you haven't heard of BadWolf/BadVolf you won't know that BadWolf was someone linked to a site critical of Palm Beach County Sheriff's Office under Ric Bradshaw on the domain "PBSOTalk.com" (a site originally founded by Mark Dougan, Ric Bradshaw's former deputy).

The agents were apparently there to investigate the recent hacking of thousands of names and addresses of law enforcement officers and others living in Palm Beach and Miami-Dade counties, which were published last month on a website founded by Dougan. A significant portion of the targeted individuals were FBI agents themselves. A few days after the first of these hacks, the local press reported that the sheriff’s office was launching an official investigation. One strange detail in those reports stuck out: The suspected hacker was apparently located in Russia, 5,000 miles from the beachfront county he targeted.

The man who claims to be responsible calls himself БадВолф, or BadWolf to his English-speaking friends and enemies. He lives in Moscow, where he works in IT for a local government agency (he won’t say which), and is alternately puckish and self-righteous when describing his strikes against American law enforcement. He says he lifted the Palm Beach names and addresses from a database maintained by the county property appraiser and published it as retaliation against the Palm Beach County Sheriff’s Office, which he believes is a deeply corrupt institution. The Miami-Dade address dump, which was published weeks later, also appears to target the PBSO

So, it would seem, a Russian hacker, working in a local government agency, going by the name of BadWolf had hacked into databases and posted them to Dougan's site.

Fast forward to September 25th, 2016: PBSOTalk.com has since been taken down following the FBI investigation and has apparently been resurrected as PBSOTalk.ru (however, the contact details are private and no longer associated with the original domain's registrant, see below).

Unsurprisingly, I asked for some proof. But when BadVolf attempted to provide me with copies of all the emails – including, he said, emails that had not yet appeared on WikiLeaks, he was unable to do so, and said he needed to contact Guccifer2.0, who, to my surprise, showed up in our chat to provide a new link where I was able to download everything. But there was nothing in what I downloaded that hadn’t already appeared on WikiLeaks. Despite repeated requests, I was not given any material that might have proved I was dealing with those who had had access to Clinton’s email server or Democrats.org

and later:

why couldn’t BadVolf provide me with the kind of proof requested to prove that he had access to DCLeaks? BadVolf’s explanation – that he was the database guy and not the web server guy, was not totally convincing to those who reviewed the mp4 files he provided.

This descends into madness, with Guccifer 2.0 and BadVolf providing what they claim are login details from the DNC, but these logins date from before the DNC hack was detected and passwords changed (so they were passwords that couldn't be verified!).

According to them, Hillary Clinton's passwords included "LeadTheSheeple2016" and Bill was using "Saxaphone1994%" as his password.

It also turns out that BadVolf, in this instance, claimed to work for an insurance company rather than in a local government agency (as previously claimed, before the FBI raid on Dougan, the domain being seized and the FBI investigating).

Conclusion: Conflation Confusion

So... we've got the fact that Guccifer 2.0 had a password to the Sarah Hamilton leaks on DCLeaks (which he could have been provided with and may have been responsible for uploading content to), and we have a bizarre theatrical performance using multimedia props that BadWolf/BadVolf (or a BadWolf imposter) and Guccifer 2.0 seem to have put on for the benefit of databreaches.net.

Do BadWolf, Guccifer 2.0 and the MP4s prove DCLeaks-Guccifer2.0 collusion? - No, they demonstrate yet another example of trying to bamboozle reporters with easily fabricated materials and, as the databreaches article reports, fail to actually demonstrate a genuine breach of access through any independently verifiable means, coming up with excuses when such evidence is requested.

Do either of these things prove any definitive ties between Guccifer 2.0 and the DCLeaks.com site's leadership beyond Guccifer 2.0 providing uncontroversial Hamilton leaks? - No, of course not!

So... are either of these things proof that Guccifer 2.0 is linked to APT 28? - It doesn't seem so.

We can just see that during September, there was an apparent effort to create a perception of an association by someone (possibly 2 people) making specious claims, lacking verifiable evidence and only capable of producing evidence in a format that is very easy to fabricate.

Fortunately, in this instance, 'Dissent' was more savvy than some other journalists had been and instead of reporting this as a believable incident with credible hackers, the whole incident was reported as the bizarre & questionable performance that it was.

NOTE: Because of how unusual the whole databreaches.net incident seems, I have sent further inquiries to 'Dissent' and will update this article with any new & relevant information he can provide.